[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland Penny rpenny at samba.org
Wed Feb 19 09:01:27 UTC 2020

On 19/02/2020 02:16, Goto, Ryoichi via samba wrote:
> Hi,
> When using AD authentication from a rhel8.1 environment with samba-4.10.4 installed, information on the primary group group01 set on
> the AD side for any user user01 cannot be obtained.
> [root @ rhel8_1 ~] # id user01
> uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain users),2001107(oec0814e),2001103(group01)
> If you perform the same operation on the same AD from the samba-3.6.23 rhel6.6 environment, you will get the correct information as
> follows:
> [root @ rhel6_6 ~] # id user01
> uid=2001107(user01) gid=2001103(group01) groups=2000513(domain users), 2001107(oec0814e)
> Regarding this, I received the following information from the support contact of the OS system: "It seems that there was a problem
> with samba-4.9.1-8.el8 (RHEL8.0), but it has been resolved with samba-4.10.0-1.el8."
> "However, it is necessary to log in once with the relevant user using "wbinfo -a"." After actually executing "whois -a arbitrary
> user%that user's password", the primary group information set in AD on the implementation Linux side could be obtained.
> [root @ rhel8_1 ~] # id user01
> uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain users), 2001107(oec0814e),2001103(group01)
> [root @ rhel8_1 ~] # wbinfo -i user01
> user01:*:2001107:2000513::/home/Domain Users/user01:/bin/bash
> [root @ rhel8_1 ~] # wbinfo -a user01% passwd.12
> plaintext password authentication succeeded
> challenge / response password authentication succeeded
> [root @ rhel8_1 ~] # wbinfo -i user01
> user01:*:2001107:2001103:user01:/home/group01/user01:/bin/bash
> [root @ rhel8_1 ~] # id user01
> uid=2001107(user01) gid=2001103(group01) groups=2001103(group01),2001107(user01),2000513(domain users)
> [root @ rhel8_1 ~] #
> However, this is not the solution in my case, because there are already hundreds of users registered on the AD server so far, most
> of them have set their own passwords, and I cannot know those passwords.
> In addition, we cannot ask each user to start the interface program to execute "wbinfo -a" and re-enter the password.
> Is there any way to get the primary group of AD registered user on rhel8.1 side by batch processing without using each user's
> password?
> Thanks
> R.G.
Can you please post your smb.conf?

